b'                         U.S. Department of Agriculture\n\n                            Office of Inspector General\n                             Financial & IT Operations\n\n\n\n\n              Audit Report\n\nStatement on Auditing Standards No. 70 Report\non National Finance Center General Controls \xe2\x80\x93\n               Fiscal Year 2008\n\n\n\n\n                               Report No. 11401-28-FM\n                                      September 2008\n\x0c                       UNITED STATES DEPARTMENT OF AGRICULTURE\n                                   OFFICE OF INSPECTOR GENERAL\n\n                                        Washington D.C. 20250\nSeptember 19, 2008\n\n\n\nREPLY TO\nATTN OF:       11401-28-FM\n\nTO:            Charles R. Christopherson, Jr.\n               Chief Financial Officer\n               Office of the Chief Financial Officer\n\nTHROUGH: Kathleen A. Donaldson\n         Audit Liaison Officer\n         Office of the Chief Financial Officer\n\nFROM:          Robert W. Young             /s/\n               Assistant Inspector General\n                for Audit\n\nSUBJECT:       Statement on Auditing Standards No. 70 Report on the National Finance Center\n               General Controls \xe2\x80\x93 Fiscal Year 2008\n\n\nThis report presents the results of our Statement on Auditing Standards (SAS) No. 70 audit at the\nNational Finance Center (NFC) for fiscal year 2008. The audit was conducted in accordance\nwith Government Auditing Standards issued by the Comptroller General of the United States and\nthe American Institute of Certified Public Accountants standards that are commonly referred to\nas a SAS No. 70 audit. This report contains an unqualified opinion on the general control\nenvironment and does not contain recommendations. The projection of any conclusions based\non our audit findings to future periods are subject to the risk that changes may alter the validity\nof such conclusions. This report is intended solely for the management of NFC, its customer\nagencies, and their auditors.\n\nWe appreciate the courtesies and cooperation extended to us during this review. If you have any\nquestions, please call me at (202) 720-6945, or have a member of your staff contact\nJane Bannon, Director, Administration and Finance Division, at (202) 720-1918.\n\x0cExecutive Summary\nStatement on Auditing Standards No. 70 Report on the National Finance Center\nGeneral Controls \xe2\x80\x93 Fiscal Year 2008 (Audit Report No. 11401-28-FM)\n\nResults in Brief    This report presents the results of our Statement on Auditing Standards (SAS)\n                    No. 70 audit on the U.S. Department of Agriculture\xe2\x80\x99s (USDA) National\n                    Finance Center (NFC) for fiscal year 2008. Our objectives were to perform\n                    procedures necessary to express opinions about whether (1) NFC\xe2\x80\x99s\n                    description of controls presents fairly, in all material respects, the aspects of\n                    NFC controls that may be relevant to a customer agency\xe2\x80\x99s internal control as\n                    it relates to an audit of financial statements; (2) the controls included in the\n                    description were placed in operation and suitably designed to achieve the\n                    associated control objectives, if those controls were complied with\n                    satisfactorily and customer agencies and subservice organizations applied the\n                    controls specified in the description; and (3) the controls we tested were\n                    operating with sufficient effectiveness to provide reasonable, but not\n                    absolute, assurance that the associated control objectives were achieved\n                    during the period from July 1, 2007, through June 30, 2008.\n\n                    NFC uses the USDA National Information Technology Center (NITC) to\n                    provide certain configuration management, contingency planning,\n                    maintenance, media protection, physical and environmental protection,\n                    system and communication protection, and system and information integrity\n                    control activities for its Human Capital Management System (EmpowHR).\n                    Our examination did not extend to NITC control activities, which were\n                    evaluated in our SAS No. 70 audit for NITC (Audit Report No. 88501-12-\n                    FM).\n\n                    In our opinion, NFC\xe2\x80\x99s description of controls presented fairly, in all material\n                    respects, the relevant aspects of NFC controls. Also, in our opinion, the\n                    controls included in the description were suitably designed and operating\n                    with sufficient effectiveness to provide reasonable assurance that associated\n                    control objectives would be achieved if the described policies and procedures\n                    were complied with satisfactorily, and customer agencies applied the controls\n                    specified in the NFC description of controls.\n\nRecommendations\nIn Brief            We do not make any recommendations in this report.\n\n\n\n\nUSDA/OIG-A/11401-28-FM                                                                        Page i\n\x0cAbbreviations Used in This Report\n\n\nABCO                Administrative Billing and Collection System\nADMIN               Miscellaneous Administrative Systems Group\nCLER                Centralized Enrollment Clearinghouse System\nDPRS                Direct Premium Remittance System\nEmpowHR             Human Capital Management System\nID                  identification\nISA                 interconnection security agreement\nNFC                 National Finance Center\nNITC                National Information Technology Center\nPAS                 Payroll Accounting System\nPMSO                Position Management System\nPPS                 payroll/personnel system\nSAS                 Statement on Auditing Standards\nSETS                security entry and tracking system\nSSP                 system security plan\nST&E                security test and evaluation\nUSDA                U.S. Department of Agriculture\n\n\n\n\nUSDA/OIG-A/11401-28-FM                                             Page ii\n\x0cTable of Contents\n\nExecutive Summary ................................................................................................................................. i\xc2\xa0\n\nAbbreviations Used in This Report ....................................................................................................... ii\xc2\xa0\n\nReport of the Office of Inspector General ............................................................................................ 1\xc2\xa0\n\nExhibit A \xe2\x80\x93 National Finance Center Description of Controls ........................................................... 3\xc2\xa0\n\nExhibit B \xe2\x80\x93 Office of Inspector General - Review of Selected Controls .......................................... 30\xc2\xa0\n\n\n\n\nUSDA/OIG-A/11401-28-FM                                                                                                                    Page iii\n\x0c                        UNITED STATES DEPARTMENT OF AGRICULTURE\n                                   OFFICE OF INSPECTOR GENERAL\n\n                                        Washington D.C. 20250\n\n\n\n\nReport of the Office of Inspector General\nTO:    Charles R. Christopherson, Jr.\n       Chief Financial Officer\n       Office of the Chief Financial Officer\n\nWe have examined the accompanying description of the controls referenced in exhibit A for the U.S.\nDepartment of Agriculture\xe2\x80\x99s (USDA) National Finance Center (NFC) and its subservice organizations\nother than the USDA National Information Technology Center (NITC). Our examination included\nprocedures to obtain reasonable assurance about whether (1) the accompanying description presents\nfairly, in all material respects, the aspects of NFC controls and the controls of NFC subservice\norganizations other than NITC that may be relevant to a customer agency\xe2\x80\x99s internal control as it relates\nto the audit of financial statements; (2) the controls included in the description were suitably designed\nto achieve the control objectives specified in the description, if those controls were complied with\nsatisfactorily and customer agencies and subservice organizations applied the controls specified in the\nNFC description of controls; and (3) such controls had been placed in operation as of June 30, 2008.\n\nNFC uses NITC for certain configuration management, contingency planning, maintenance, media\nprotection, physical and environmental protection, system and communication protection, and system\nand information integrity control activities for its Human Capital Management System (EmpowHR).\nThe accompanying description includes only the relevant control activities of NFC and its subservice\norganizations other than NITC and does not include NITC control activities. Our examination did not\nextend to NITC control activities, which were evaluated in our Statement on Auditing\nStandards No. 70 audit for NITC (Audit Report No. 88501-12-FM). The control objectives were\nspecified by NFC.\n\nOur audit was conducted in accordance with Government Auditing Standards issued by the\nComptroller General of the United States and the standards issued by the American Institute of\nCertified Public Accountants. Those standards require that we plan and perform the audit to obtain\nsufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based\non our audit objectives. We believe that the evidence obtained provides a reasonable basis for our\nfindings and conclusions based on our audit objectives.\n\nIn our opinion, NFC\xe2\x80\x99s description of controls in exhibit A presents fairly, in all material respects, the\nrelevant aspects of NFC that had been placed in operation as of June 30, 2008. Also, in our opinion,\nthe controls included or referenced in exhibit A were suitably designed to provide reasonable\nassurance that the specified control objectives would be achieved if the described controls were\ncomplied with satisfactorily and customer agencies applied the controls contemplated in the design of\nNFC\xe2\x80\x99s controls.\n\nUSDA/OIG-A/11401-28-FM                                                                            Page 1\n\x0cIn addition to the procedures we considered necessary to render our opinion as expressed in the\nprevious paragraph, we applied tests to specific controls to obtain evidence about their effectiveness in\nmeeting the control objectives during the period from July 1, 2007, to June 30, 2008. The specific\ncontrols and the nature, timing, extent, and results of our tests are identified in exhibit B. This\ninformation will be provided to customer agencies of NFC and to their auditors to be taken into\nconsideration, along with information about the internal control at customer agencies, when making\nassessments of control risk for customer agencies. In our opinion, the controls that we tested were\noperating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the\ncontrol objectives specified in the description of controls were achieved during the period from July 1,\n2007, to June 30, 2008.\n\nThe relative effectiveness and significance of specific controls at NFC and its subservice organizations\nother than NITC, and their effect on assessments of control risk at customer agencies, are dependent on\ntheir interaction with the controls and other factors present at individual customer agencies. We have\nperformed no procedures to evaluate the effectiveness of controls at individual customer agencies as\npart of this audit.\n\nThe description of controls at NFC and its subservice organizations other than NITC is as of\nJune 30, 2008, and information about tests of the operating effectiveness of specific controls covers the\nperiod from July 1, 2007, through June 30, 2008. Any projection of such information to the future is\nsubject to the risk that, because of change, the description may no longer portray the controls in\nexistence. The potential effectiveness of specific controls at NFC and its subservice organizations\nother than NITC is subject to inherent limitations and, accordingly, errors or fraud may occur and not\nbe detected. Furthermore, the projection of any conclusions, based on our findings, to future periods is\nsubject to the risk that changes may alter the validity of such conclusions. Finally, the accuracy and\nreliability of data processed by NFC and the resultant reports ultimately rests with the customer agency\nand any compensating controls implemented by such agency.\n\nThis report is intended solely for the management of NFC, its customer agencies, and their auditors.\n\n\n/s/\n\nRobert W. Young\nAssistant Inspector General\n for Audit\n\nSeptember 19, 2008\n\n\n\n\nUSDA/OIG-A/11401-28-FM                                                                            Page 2\n\x0c The subsequent sections of the report, Exhibit A (pages 3\n through 29) and Exhibit B (pages 30 through 44), are not\nbeing publicly released due to the sensitive security content.\n\x0c'